Posted
by
timothy
on Monday April 18, 2005 @05:46PM
from the he-calls dept.

Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."

Any exploitable program you run as another user will still need a local escilation exploit in order to do anything harmful. Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.

rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.

ActiveX and a lot of spyware is contained in windows when running as non-administrator. It's running as admin (like most people do), that cause the majority of problems with things.

This kind of talk is pandering to the lowest common denominator of user. Honestly, I feel users SHOULD learn a little bit about privileges before being handed the machine, and clicking on that file attachment.

I know Slashdot attempts to soundbite things just like any other modern news media, so I'll quote:

Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

MySQL, for instance, runs as a separate user. If I so desired, I could limit the login / password for my MySQL account to only allow row INSERTs and SELECTs, but no DELETEs or DROPs. If someone were to break into my account, they could see my data, but at least they couldn't delete from the table. As root, they could stop and start the actual service, and wipe out the whole directory for that matter.

I generally see what he's saying about data being king. But if your data is that important, you'll have other safeguards for protecting it, typically via (dun dun dun), user management! For instance, keep your accounting files under a different user, home directory chmodded to 700. Stuff like that.

Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit.

Cars happen to have seat belts. Roads also have speed limits, so this analogy is flawed.

The best way for Linux to break into the market isn't to emulate windows entirely. The best way is to take the best of what windows has to offer, and augment it with the best of what Linux has to offer. After all, look at Firefox. Firefox didn't choose to adopt ActiveX, or adopt Microsoft's proprietary style transitions, or render CSS in the same broken way, right? Neither should Linux, or in this case, Linspire.

Even if user data is the most important thing, if you run as root on a multi user box you put every users data at risk instead of only your own.

The other thing, and this isn't easy to do in many OS's, that would be nice is granular escalation of privledge. As you point out in your SQL example, if you need someone to do inserts you shouldn't have to allow them to delete.

Even on a single-user system, there is a damn good reason to run non-root: otherwise, if an attack makes its way in, you'll have no way to know about it. That's because every utility you could use to verify the integrity of the binaries and libraries and kernel you use can be altered by root.

Not everyone takes proper advantage of the root privelege separation. Popping up dialog boxes asking you to enter your root password, for example, was a terrible design decision on the part of most distros. And sudo

I should be able to specify that a particular UID can listen on ifname:80

Have you looked into selinux? I don't know if it allows port 80 access from an initially non root user, but it allows you to run a locked-down root process. Problem is that it's apparently very complicated so only supports a scant few products out of the box. But web serving is one of them.

What we lack is that fine tuning - I should be able to specify that a particular UID can listen on ifname:80, not kick off a process as root, then setuid it...

Or you could run the process non-root and setup iptables rules to redirect port 80 requests to a port a non-root user can open. I think one can also set rules so that iptables only allows certain incoming ports to certain user accounts, so that no one else can run their own apache and take over the port, although I am not 100% sure on this.

Some more information for you.. this is an blurb from the iptables man page

----------------

ownerThis module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id.--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.--pid-owner processid
Matches if the packet was created by a process with the given process id.--sid-owner sessionid
Matches if the packet was created by a process in the given session group.

------

You can filter network traffic based off of the same system that you can use to filter access to files. Even more fun is the ability to filter network traffic based off of a process id.

That's why you set the/home directory to non-executable. No program, including rm, will walk into it unless you are root. Note that this doesn't affect the ability of non-root users to access any correctly permissioned sub-directory of/home.

Yes. That's a good thing, for the reasons described in the parent post. It bears repeating that he did NOT say to set/home/* non-executable, but only the/home/ directory itself. This allows users access to subdirectories of/home/, but only the ones they know about independently.

An "ls -l --recursive/home/" will fail to find any world-readable directories, because it won't be able to get a listing of/home/

An "ls -l/home/bob/public_stuffs" will work just fine, however, with the permissions set properly.

as per this comment [slashdot.org] below (just bringing it up to make it more obvious). chmod a-x/home keeps you from doing anything in/home or any subdirectory, but will let you list/home; chmod a-r/home keeps you from listing/home but will let you do stuff in/home/bob.

Any exploitable program you run as another user will still need a local escilation exploit in order to do anything harmful. Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.

He's not talking about daemons--presumably apache, mysql, etc. are still run as a separate user under Linspire, as they are in Debian. There's no reason to change that, since those users don't have usernames that people need to enter.

He's talking about the user account that's used by the real physical user of a desktop system.

In that case, no local exploit is needed--the attacker either uses sudo, or just sniffs the password the next time the user uses su (or whatever graphical equivalent pops up next time they try to upgrade some software).

rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.

For all the talk about it, I don't think I've ever actually known anyone to do the classic accidental rm -Rf / as root. Although I have heard of somewhat similar catastrophes. I doubt the typical gui/finder-like interface makes this so easy, but perhaps I'm wrong. In any case, as he points out, in the case of a single-user desktop, the most important data is in/home/joeuser. Once "joeuser" has deleted that, they're almost back to square one anyway.

I don't think I've ever actually known anyone to do the classic accidental rm -Rf / as root.

I did.

I had two hard drives with RH on them, one slightly newer. I didn't want to upgrade my main system and risk it going all screwy, so I just took out the HD, put in a blank one, and installed the new system. Then I put my old HD in usb enclosure, copied over everything I needed, and then decided I'd erase the old drive. I had it in/mnt/usbhd, and of course, the directory structure looked practically identical to my new system from there on down. I mucked about making sure I had copied over everything I wanted, figured I was all set, and then, with the intent of going to / of the usb drive, I typed "cd/" and them "rm -rf *". I walked away for a while....

So I get back -- anyway, you can imagine the sick sort of dizy feeling that mistake can generate as one slowly begins to comprehend the magnitude of one's error. It only takes a second, one stray thought - "do I want a coke or a coffee" - while typing and out comes a "cd/" instead of a "cd/mnt/usbhd".

Keeping in mind Linspire is totally Desktop-centric, I can see why they might have a radically different view on the permissions system from most existing Linux users.

I've already read lots of lengthy posts trashing this contrarian point of view. And they have a lot of good points, as yours does, but ultimately this reads like a single-user vs. multi-user culture clash.

The fact is that on any operating system when you have a single, important user who runs malicious code, it doesn't matter much whether they're root or not, unless the machine has a security model more fine-grained and well-integrated than anything currently in wide use.

If that user can access their own files, then their own files can be destroyed. If that user can access the internet, then the compromise can also send their files over it. Or it can simply make them a spam bot. Or a relay. If that user has an address book, then its contents can be targets for viral propagation. And so on, and so forth.

Frankly, to do most things attackers want to do, "root" is unnecessary. Nothing within the unix "user management" repertoire really lets you deal effectively with this problem, and what few solutions you do have are, let's be honest, ugly, cumbersome, evil hacks.

What stops all this? A real, heretofore unknown high-level security model, that actually says "The email program can access stored email data, preferences, and can talk to the network on this port, to these hosts" and "the word processor cannot talk IRC" and so forth. This requires a rich resource model, rethinking data storage metaphors, the whole nine yards. Unix does not have this. Windows hosts only have it in the crudest and most limited form with "personal firewalls" that to some extent at least police the network activities of applications.

So for all the Unix folks, of course, this disdain for the security model is heresy, but for the desktop world (and really, servers benefit greatly from a fresh perspective as well), it's not such a bad point. Unix lacks a security model rich enough to be truly useful to everyday users, and by extension, companies like Linspire that cater to them.

I totally agree with you about privilege levels. I was all about running as a non-privileged user. That was until realism and idealism clashed. Some programs literally won't work right without for example administrator rights on Windows. In the corporate environment, at least the Windows corporate environment, there are too many programs that need administrator privileges. Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

While this is a Windows problem, it can result in a misconception that could end up being applied to other platforms. If people are used to using administrator privileges because of programs requiring them, they might think that they'll have to do the same on Linux and other systems. Avoiding Microsoft's mistakes is one thing. Undoing its influence is another.

Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

1) A lot of programs where this happens can be fixed by adjusting configuration, or copying registry keys rather than giving the user full Admin rights.

2) Developers who write software that absolutely requires Administrative rights for common use, and the program is not designed to alter fundamental hardware or OS configuration (such as a registry editor or a graphics driver tweak utility) are incompetent and should be killed.

...Some programs literally won't work right without for example administrator rights on Windows. In the corporate environment, at least the Windows corporate environment, there are too many programs that need administrator privileges. Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

In my shop, administrative rights are strictly limited, and so I see this effect also. There is some Kodak camera-handling software that complains if you run it without administrative rights (though it seems to work just fine) and a weather display application that fails like Citrix Client unless it is run as an administrator. I am sure there are other examples.

My answer to this class of problems is to declare the software not working, and suggest that the user ask the vendor for a version that will run without administrator privileges. I have yet to see a software vendor respond positively to this request, but in the long run I think it is the only solution. I am not willing to give my users administrator privileges so they can run some poorly-written application!
John Sauter (J_Sauter@Empire.Net)

Don't you get it? He sure does! You see, Windows has 95% of the users, and 99% of the virusses. By making it easier to hijack the system, he hopes to attract some of those great Windows hackers to Linux. Inevitably, users will follow when they see their favorite virusses are now also available on Linux!

In the future he'll be making statements like "Passwords are for pussies!" and "Bah, firewalls, a lot of hot air I tell you!". It's part of the plan..

I ghost my machine every week or two, it seems to work fairly well as far as data protection goes. I think that if you properly back up, then the amount of time saved by running as root is actually higher than the time spent when disaster strikes from running as root.

I really think the usage model is important. If you use linux like a windows user, and are constantly installing desktop applications (i.e. games, office apps, etc.), then the convenience of running as root is difficult to beat. If, on the

Your arguments all make sense, but notice how some of them really apply more to a server. For instance,

MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user

Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed and Grandma who want to web surf and send e-mail.

Running something like apache as root, and any vulnerability in programs

That's fine, but he has a point. How much actual real-world good does that do? It does plenty of theoretical good, but so does making the speed limit 10 MPH. By far the better solution is to make sure that the system is safe from remote attacks.

Which is easier: running a program as non-root or ensuring that it has no remote vulnerabilities? And can you be as sure about the second one as you can be about the first?

Elevators go up and down. The only thing that straightforward on a computer is the CD drive (and even that sometimes causes my system to freeze:-) )

I'm not suggesting that the usability of computers cannot be improved; far from it. But just as some people are simply very bad drivers, some people will not be able to use some programs because they don't have the training, they aren't willing to practice, or they just don't "get it". Trying to cater to these people by writing programs that a 5-year-old co

I'd like to add the fact elevators didn't always have light-up buttons labelled for each floor. There used to be a lever to make it go up or down. Stopping at a floor was a skill. It was more convenient to have an operator than have people miss the floor by 3 feet and break their ankles climbing out, or maybe cutting each other in half by accidentally bumping the lever when exiting.

Now there is a much simpler and intuitive interface that anyone can use, so a dedicated operator is not needed (though I hear Congress still has elevator operators so those busy politicians don't have to worry about breaking their nails, or something).

If you had a computer with a set of buttons for each of a few trivial operations available to the user, and those are the only operations, it probably doesn't matter if you run as root or not.Such a system would also suck as a general purpose home computer.

If you're going to do anything beyond trivial actions, and perhaps getting into complex stuff that you don't necessarily understand, its probably best NOT to be running as root.

Think of it as 2 sets of operations:

- the ones that can mess up your stuff- the ones that can mess up the whole system

Both sets have the ability to wipe out your data, but the latter can wipe out other people's data, critical system files, raw hard drives... pretty much screw your data, and your machine.

Both your user account and root have the ability to mess up your stuff. A regular user account typically cannot mess up other accounts' data or the operating system, without using "su" or "sudo" or some other method to escalate privliges.

MacOSX has root separate from the user account. A user can be an "Administrator", which gives the user sudo capability. GIU operations (software installs, editing user accounts, and other system configuration) do a graphical equivalent to sudo, prompting the user for their admin password. Its not that complicated. Its an extra layer of protection, and lets the user know that they're doing something out of the ordinary. Its not that complicated.

That sounds like a workaround to make up for a design flaw in the command-line interface to me.

How is this a design flaw? If you ask me, it is the command-line's greatest strength. You tell it to do something and it does it. If you wanted to be safe and have it confirm your request before it does each and every action you shouldn't specify the 'force' option. This is a GOOD THING!

Of course it is a good thing. If you go the other way you make it harder to do the right thing whenever you figure out what that may be. Coddling the users makes systems insecure, overbearing and uncooperative. The GP is a certified moron for posting in a linux thread that an administrator shouldn't be able to do whatever the hell he pleases.

Computers are the most complicated tools that _everyone_ can use but few are willing to learn. Hey maybe longhorn will meet this need, but I bet you Microsoft does

It was a dark and stormy night. Had a few beers, I was tired. I was young and did not fully comprehend the power I was weilding. I needed to remove/etc/ppp/dilvish before giving up the machine to the new admin. I typed 'rm -r/etc' and my right pinky was getting lazy from my too long of session at the keyboard and the return key was hair trigger. I didnt mean to shoot the machine, but what is done, is done. Or rather I spent the next 48 hours recovering files one inode at a time.Only then did I comprehend

The "users should have to learn" mentality is what keeps computers complicated and difficult to use.

Actually, my opinion is and always has been that assuming users are stupid and incapable of learning the most basic idioms is the real problem with computing. I mean, if we can't even expect to teach people what a "directory tree" is and means, how do we expect them to learn to organize information? Sure, google can claim you should "search instead of organize," but the fact remains there are times when s

"... however, your comment about FireFox not adopting ActiveX, I would put to you, is actually not a good thing."

Lack of ActiveX support actually prevented my previous company from switching to OpenOffice or Mozilla. The attitude that it's better that these two apps don't support it seriously pisses me off. If Microsoft can't get away with being arrogant, than the OSS Community can't either./rant

Since a decent majority of open source developers actually give, to use your phrase, a flying fuck about standards, it's generally not in their best interests to promote use of something that isn't a standard, will never be a standard and would be completely undesirable as a standard. Additionally, if it can't be ported across architectures then including it would do a hell of a lot of damage to firefox's geek cred, and hence developer base.

Having said that, I think a plugin that allowed you to use activeX is a cool idea. I just don't think that tying the browser down to any one platform is a great idea. If you're particularly keen to produce an ActiveX version, go fork the codebase.

Um yeah. A Windows user trying to switch to FireFox or OO doesn't give a flying fuck if AX will work on Linux or not. Pardon my bluntness, but you're rationalizing NOT putting a feature in that some people need. That's bullshit.

I'd rather have a true cross-platform product. MS can keep their shit to them selves.

Besides, ActiveX is a security nightmare. It is simply not worth it; whatever the problem is, ActiveX is never the solution:-)

"It is simply not worth it; whatever the problem is, ActiveX is never the solution:-)"

*Sigh* This is what I'm talking about! I know AX ain't great. I'm no fan of it, either. But when it's needed, it's NEEDED. Since OO and FireFox wouldn't support it, we had to use a MORE INSECURE office and browsing app! You cannot honestly tell me that the OSS Community couldn't develop something to support AX and maintain security. Heck, all it would really need is to be off by default and the user has to either tu

Heck, all it would really need is to be off by default and the user has to either turn it on or install a special module.

With ActiveX, you're using IE as a custom client UI for your apps, not as a web browser. Why should other web browsers turn themselves into a general-purpose Win32 UI platform? That's not their focus.

What would be wrong with just staying with IE for your Win32 application? You can still keep it around just as a container for your custom-coded UI clients.
If you want to actually *browse* the wold-wide-web instead of running little Win32 applications, nothing's stopping you from using other more modern browsers.

Is there som obstacle to adding support for activeX in only the windows version? Like this:

Default turned off. If a page has some activex thingys, block, display small text that a thingy was blocked. If user wants to run it, click here and blabla, the url gets added to "Allow" list. Done. Other platforms need not even bother.

Well, what the grandparent is pissed at -- and he has half a point -- is that firefox COULD support activex -- on windows only, by using the activex api.

However, activeX is a security nightmare. And regardless it *IS* a proprietary MS extension -- and nobody wants to A: support MS and their bullcrap, B: Firefox has a reputation as a secure alternative to IE. If FireFox supports the hopelessly insecure ActiveX -- they really have nothing to offer anyone anymore as their reputation is *done*.

Except that it cannot completely be an alternative to IE because IE supports something that FireFox doesn't.

Fine. But FireFox (and others, such as Mac's Safari) support something highly worthwhile that IE most definitely does not. Namely, a reasonably safe and secure browsing experience.

Some markets will opt for security and safety, using technologies that are (compared to active x) much (duh) safer and more secure.

Others will continue to endure spyware, viri, adware and various trojans and other invasive garbage. Those are "IE features" FireFox doesn't want to offer. Or let me put it this way -- they are "features" that this FF user doesn't want to be "given", because they are inevitably prefaced with the command "bend over."

I truly think that to impress ActiveX upon FireFox would be just about the worst thing the FF developers could do. FireFox provides a better experience. That's why it's doing so amazingly well. Put ActiveX in there, and that experience is going to begin to degrade. It may go as far as to be as risky to surf with FF as it is to surf with with IE.

Does anyone really want that, other than the companies who have embraced and extended Microsoft's Active-X? Is there anything truly significant you can do with Active-X that you cannot also do with Java?

Sure... you pick a technology that is proprietary to one browser, that browser starts to lose favor with the user community, and definitely, you will have work to do. Time to start studying Java. It's not time for the junk technology to be imported into FF to extend the EOL of some Active-X product.

Java was designed to be secure. It's been remarkably successful at it, too.

The argument being made here is that Active-X is dangerous. You seem to give that a nod by saying it should be off.

Fine.

However, the next implication is that it can be turned on. This is not fine. Why? Because it is dangerous. The average user does not comprehend that it is dangerous. Like the argument here that one should not run as root (which I agree with for most people in most situations) the idea is that if you're not smart enough to handle a tool, you should not be handed that tool.

It's not arrogance to say that it is not a happy worldview to see people's computers being trashed by junkware let in by badly designed software -- Active-X -- it simply isn't a good thing. You can't make it a good thing.

Now, if a company has invested time in developing for this proprietary (but very dangerous) technology, and the marketplace leaves them behind, as it is showing definite signs of doing, then if that company wants to survive, it needs to lose the dangerous technology, get with the program, and use the safe technology. That's called evolutionary pressure. I'm part of that pressure. I don't use IE. If you use IE-specific technologies on your site, you've lost me (and at least 10% of the rest of the world, and more every day.) Now, you can only ignore this for so long before you (a) solve the problem by losing the junkware, or (b) are driven from the business space by competitors who are able to recognize and resolve the problem.

From a user perspective, I'm just one guy. I won't use IE.

From an applications standpoint, I own several companies and we don't use Active-X (or Java, for that matter) as a matter of course. We do server-side apps, because (a) we have total control over them and (b) because all users, that's 100% of them, can use our apps. We give up some glitz, certainly, but we've never, ever had to give up anything important.

So my outlook does have some effect. If Active-X were to go away, it wouldn't touch me at all, other than to make the web more accessible to me and perhaps give my competitors a more stable place to stand. Do I worry about the people who invested in Active-X? No. And, really -- why should I?

Arrogant? No. I'm entitled to my opinion, just as you are entitled to yours. As for putting any thought into it, apparently you didn't notice my sig. This isn't an issue I just picked up on this afternoon. I have indeed thought about it, and this is where I ended up.

Okay, I will make it easy for you. Why does Firefox and OpenOffice not use ActiveX? Heres why:

(1) It does not work cross-platform. Both Firefox and OpenOffice work on platforms other than Windows. Both platforms keep this compatibility by not introducin technology that could possibly limit this capability.

(2) It is proprietary. You may be confused on what this means. Basically, the technology is owned by Microsoft. This very same reason is why PNG exists despite the existance of GIFs. GIF technology was proprietary and, thus, could not be placed into a product that had a open source license (Linux).

(3) Firefox has no need for ActiveX since it has, in my opinion, a better technology with XPCOM. OpenOffice, if I remember, can be extended with Java plugins. Java has built-in security unlike ActiveX. Both XPCOM and Java are cross-platform which goes back to my point #1.

(4) Active X is not very secure. You will hear this time and time again. Microsoft even knows this and turned them off by default in SP2!

Make all the excuses you want, at the end of the day what matters is if the product does what it needs to or not.

As stated in point #3 above both Firefox and OpenOffice support technologies that give them quite a bit of power to get any job done.

I have a pretty good memory and I remember correcting you on these issues before:

Good post overall. However, you're simplifying the relationship between GIF and PNG, and you imply that by including proprietary renderers in Linux that they too must be open source. This is completely incorrect, as many binary drivers, patent-encumbered applications, and even closed applications are distributed with Linux. Debian has an open-only policy, but that reflects their outlook, not a requirement of the Open Source license.

PNG was developed not because it was impossible to put GIF support in Linux, but because it was feared that Compuserve (which discovered it held a patent on one of the processes used in GIF compression / decompression) would abuse it's power on all platforms. In the early days, they talked about levying a fee on all clients, users... anything that interacted with GIFs. At which point development of PNG began. I believe CompuServe finally settled on the less unreasonable 5c per paid application that can encode GIF's, with no fee for decoders. That fee is no longer with us, as the patent has expired.

On the other hand, PNG has surpassed GIF's by adding alpha layer transparency... in other words, you can have certain pixels that are 100% opaque, or 10%, or 55% solid, or whatever. This would make working with images on the WWW so much easier, if MS would just bloody well implement proper PNG support like they promised as a feature for I.E. 4.

I think the correct answer is marketing. The gecko browsers are packed full of some really cool toys for developers. But it's very very hard to sort through it all. Every so often I start playing with various features common to Mozillaish browsers like XPI, XSLT, and Javascript. It always strikes me how much potential there is to make some very cool applications using these. One pet project of mine is to see if I could create a set of XSLT documents that would transform glade projects into XUL applications, which could be themed via css.

It's coming along pretty well, but I find it very difficult to wade through the developer documentation. XULplanet [xulplanet.com] is a great resource, and there's a few others like the DOM ref [mozilla.org] on moz.org, but it seems pretty scattered, and sometimes out dated, and sometimes it just completely disappears like DevEdge [netscape.com] (which there was some talk about being resurrected). In some cases, the only reliable documentation is the moz source [mozilla.org] itself, which is very hard to navigate without a fair bit of research.

I've never done anything with ActiveX at all, or dealt with Microsoft API's very often at all, but I've seen their documentation [microsoft.com], and it seems like its quite a bit more focused, and easy to find things.

Having had to go looking for documentation myself, I think I can see why companies would be reluctant to use Mozilla technologies in house. Is there anybody at the Mozilla foundation that deals strictly with promoting moz as a developer platform, rather than focusing on the browser itself?

Refusal to support one of the biggest vectors of spyware infiltration is not arrogant, it is common sense, at least for the average desktop user.

For the business world, admittedly, with the entrenched position of ActiveX-based systems on corporate intranets, it's perhaps a little silly and a bit of a barrier to business adoption, but for home users one of the biggest complaints about Windows is the fact their machine can be 0wned by Virtual Bouncer, CoolWebSearch, ABetterInternet and God knows how many other drive-by-installed apps and toolbars just by visiting a slightly wrong-side-of-the-tracks website.

Don't forget, as a smart businessman, he knows how to sell his product.. Logging in is REALLY hard to sell.. Even for XP users (notice the pretty typing-free login icons in XP).. If XP required people to memorize passwords to do anything, then people would be use to it, and wouldn't bitch about it in Linux. Thus to have people adopt his product, he needs to soften the hard-core UNIX advocates's argument. Plus XP has one thing over Lin-whatever-the-hell-they-call-themselves, XP has a super-root account which nobody but MS has access to. It just isn't needed for any software/hardware installation.. I'm speaking out of my hat; I don't even know much about win-Administrator.

There are some good replies here, but nobody's talked about "su" and friends.. I know su's not a user-friendly application, but damnit, I use it all the time. After several OS upgrades, whenever something fishy is going on with an application, I open a terminal window, login as a dummy userand run the application from there with a fresh configuration. Viola, proper settings, it must be my dot-files being mangled in the upgrade.. Time to hunt-save, and rm -r that dot-directory. Harder to do in gnome since they're all in a common tree. And yes, this is more of a power-user thing.

But if I want to visit some illicit web site, and I don't trust that my cookie files won't be sought out by some clever Ajax tricks (hey, it's new, we can fear it), I at least launch a different one of the dozens of install browsers, or if I'm really paranoid, I log in as the dummy user. (again takes half a second from a terminal window). With the exception of X-atom-based consolidation of browsers, so long as I run a different base application (epiphony, mozilla, firefox, galean, etc), I can have two different users displaying graphics on the X-session.

Again, I know.. power-user stuff.. But you could have (as I've pushed for in other posts) applications on the task bar launching applications of different users.. Especially if you're the distribution writer.. And ESPECIALLY if you're a single-user-signon distribution.

See NeXTSTEP and MacOS X. Users were not root. Users seem to be getting along just fine. Login optional.

Ubuntu does this too. The default installation has the root account disabled for login purposes. What few administration tasks require root access is done through sudo using the user's password for authentication. Login could just as well be automatic.

I fail to see entirely what Linspire needs continuous root-level access for.

Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

Techincally it's gaining control over your system without you knowing it and running exploitable programs as root makes that easier. If the hackers get access to your libraries, programs, etc, they can do far more damage to you by sniffing your data w/o your knowledge. Hackers aren't going to just steal your data and run. If they can gain easy access to the system they are going to modify it and snoop everything and keep getting what they came for.

Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

I am in no way a master of Linux/UNIX and I never claimed to be but even I know that if you are exploited while running something as root more damage can be done to a lot more services, files, etc, than if you were just running it as a user. It's not theoretical. It's fucking very real and it's idiots like this guy that make it easier and easier for more zombie boxes to get out there. Look at Windows... Yeah, no, we don't need Linux to end up like that too.

I want to know who the hell this guy is talking to that don't give him a valid argument. I have a feeling they are and he isn't listening.

Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

It shouldn't even be a choice. Prompt for a password (like OS X) when something that needs root privledges runs. If it has succeeded with the Mac then it can with Linspire users too. If you are so concerned about making the users have a positive Linux experience rewrite the dialog boxes when they ask for "root priveledges" so that they are human readable. Don't just eliminate it and say that there's no valid reason not to. Taking the easy way out doesn't solve the problem.

Since when is Michael Roberson a trusted source? He's an asshole that's just into pushing the envelope and making waves (remember Lindows and MP3.com?) Right now he's doing exactly the same thing. "See, those Linux users are trying to make it hard for the layperson to use "their" OS and I'm trying to make it easy. Listen to me! I'm trustworthy!"

If this Michael guy has ever seen a rooted Linux system with one of those groovy kernel modules loaded to hide the doings of the people that rooted the box, then he would guess a 2nd time about his assertion that its OK to run Linux as root all the time.

You think that WIndows zombie boxes are a problem? However, those systems are able to be fixed (to my knowledge, don't use windows). A rooted box with a kernel module installed to hide itself, has to be completely restored.

I'm glad you mentioned OS X. I believe that it is a beautiful compromise between running as a user and asking for permission to escalate the privileges when needed. The best part of it is that it _rarely_ asks for administrator privilege, and when it does it makes sense. If someone opened an email attachment and it asked for administrator privileges, that would be a bit fishy (although some people would fall for it).

An easier-to-read 'formatted-for-print' version is here [hexus.net]. (Not here [hexus.net], as I tried after decoding the base64-encoded GET, but that's beside the point.)

Not running as root works like this. Your data is no more inherently safe than it is when you/are/ running as root, but nobody ELSE'S data will fall prey to your screwup, nor will the central integrity of the system. (For granny, this means that grandson Billy can ssh in, recover this morning's backups from the write-once partition, and she can keep going, having lost minimal data.)

Running as root is like pointing a loaded gun at everyone just in case they're a criminal.

Not running as root is like fastening your seat belt. Sure, you're not intending to get in an accident...

Running as root is like driving down the highway with your hood open and your oil cap off.

You've got to be kidding me. Is this just a big troll or is this guy actually that ignorant? Who the hell has he been talking to anyway? The reasons for doing day-to-day things as a non super user is one of the most basic security concepts ever. Even my parents understand this. The reason you don't run everything as root is to avoid COMPROMISING THE ENTIRE MACHINE if some random application has a vulnerability. You don't want each and every little program you run to potentially allow someone to gain full access to everything on your computer. Not to mention protecting the computer from the application itself. I don't want some poorly written piece of software accidentally deleting important system files or some other user's data. And how about protecting the system from the user themselves? How many people here have accidentally rm'd a bunch of important system files (or all of / for that matter) on accident? I know I have and I consider myself a very careful person when it comes to such things.

C'mon... How fucking retarded can you be?

He does _almost_ make a good argument for his case though...

Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

That statement does have some merit but it definitely isn't always true and even then, I would much rather compromise only my data than have someone gain access to the entire system. If they only get my data, that's all they get. If they gain access to the entire system there is no limit to what they can do... What if they want to setup a very well hidden rootkit and snoop around on my box (watching traffic, capture credit cards, etc. etc.) for as long as possible? Not to mention multi-user systems... A compromised super user gives them full access to EVERYONE's stuff.

And of course, after he says something nearly sensible he goes on to completely shoot himself in the foot by making another completely ridiculous challenge...

So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

What world does this guy live in? Is he completely surrounded by idiots? Remind me never to go anywhere near Linspire.

Uh well, I think he is actually that ignorant (or lost is more like it). This is the guy who started mp3.com and thought that the music industry was going to give him a big pat on the back for it and let them into their billionaires club. Even worse is how he down-talks illegal copying like it's a back-alley dirty activity, when in truth nobody is doing any worse than he has been, is, and will likely continue to do for the rest of his life. IMHO, he is the epitomy of blind love for evil systems. No ma

I think this is the fault of the command not asking for confirmation. I mean Format C: will at least ask you if you are sure. It's not like you have to clear the root directory that often that this would be a pain.

In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.

He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.

"I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't."

rm -rf/chmod 777 -R/

amongst a high seas of other things that make running as root unsane on the "woops scale"as to be in dangeour from a remote source , well if you make a conection an open conection to someone you dont know when you root then...

This is exactly the kind of attitude that I'd expect from someone that learned everything they know about computers from working with MS-DOS... he can't seem to conceive of the notion that there might be more than one person's data on a single machine!

In that case, I think running in administrator mode just makes it harder to remove the infection. I think it's trivial to trojan people into running bots that run in user space rather than system space. It's just not necessary to make such a program because it's easier to assume they are running as admin.

Well, Ubuntu Linux is set up with sudo all set up right off the bat, which is probably the way things will be setup in the future. The user can use his or her own password to get root privileges.

I think that anyone who is considering buying a PC for Lindows would be much better served buying a Mac or Mac Mini and using OS X instead. They'll spend the same amount of money and have an OS that is better-designed and is backed by a corporation and a CEO who actually know what they are talking about.

We all know the reasons not to run anything as root unneccesarily are many, but you have to think from his perspective as well. He's picturing clueless linux desktop users, using a shrinkwrapped distro at home for personal use. If they were to only log in as a user rather than root, what does it buy them? Whoever gets them to run malicious code by exploiting them or their software will still get access to all of their data, since it was all stored as that user. And they still get access to backdoor all of the software they use, since they can screw the user's environment (PATH, LD_LIBRARY_PATH, etc).

About the only thing not running as root saves the poor nontechnical home end-user from is wiping out their hard drive, but all the data that's important to them contained therein is still destructable.

I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.

He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.

It was several years before I realized that it was the same Michael but I visted the website and found his picture there - in multiple super high resolutions - seriously why would I want a 1435x1980 pixel image [linspire.com]of him?Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*

Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...

I can't take this guy seriously. He's the Billy Mays [atmospheric-violence.com] of the Linux world.

Just read his responses....[a few of my repiles]

Jo: On the security front, I noticed during the presentation that you were running everything as root. Is that really a wise idea, to train users to run everything as the one user who can mess everything up whenever they feel like it? Should you not try to teach one basic UNIX security idea, that you really don't want to run things as root?

Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data.[Mikey, that's like saying the people in my car are important, but to hell with the rest of the motorist on the highway. Pretty reckless and selfish. Maybe Linspire should should start "LinNet-Home of the Bots and Trojans] If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.[Mikey, what is a bot? And how are they born?]

Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

Running as root is dangerous, but is more dangerous than the average home user is used to? Probably not. The average user probably runs windows from a single user account with admin rights. For most people, the recycle bin is the only protection from stupid mistakes.

Malicious software can always trick user into giving it administrator access. But if you always login and root, one bad mouse gesture in file explorer can make your system unusable. Just yesterday I saw someone with a master degree trying to store MP3 files in/Library on MacOSX.

Besides, if you have a family PC why would you want everyone messing up each other's files if they can have nice separate home directories?

Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares?

The most valuable thing on my computer is probably the user name and password to my internet banking facility.. Not that I store them on the machine but I do type them in. Maybe running as non-root does give you access to all the data in a users home dir but it sure makes it more difficult to overwrite those libraries he's talking about with keylogging trojans that will harvest my passwords.

Before you blow everything out of proportion, take a second to look at a few things from a different perspective:

1) The end user of Linspire is most probably a windows user trying to switch to something cheaper. The odds of Linspire being heavily used in a multiuser environment are bleak at best.

2) He makes a valid point, the most valuble information on your computer are things stored in your home directory. Credit card information, social security, emails, etc. Guess what . . . `rm -rf` will eliminate all of that even if you aren't root. Who cares if you accidentally wipe an X library, a reinstall will fix that, it won't get back your emails and resumes.

3) Everyone's argument for the flaw of running as root seem to stem from services running as root, which is something the enduser of an operating system like Linspire shouldn't be expected to fix anyway, nor will most Linspire users be running apache servers and mysql servers, I'm just guessing at that.

A windows user or a linux newbie doesn't want to remember several account passwords just to change the IP address of their computer, or to reboot, or mount an external hard drive, or start Samba, etc. They want to know that they have permission to do those things out of the box. That's how windows is set up, that's what they want. Security should be handled by turning chrooted service invocation, firewalling, etc.

This isn't FreeBSD, tailor to your customers and make them happy, without them you don't have a business.

The reason that Robertson didn't get the answer to why not to "run as root" is twofold.

1.) He didn't want to hear the answer when it was told him.

2.) probably 99% of people who know that you shouldn't "run as root" don't know absolutly why themselves. They have a pretty good idea, but someone they respect and trust (and who is correct) told them it was stupid.

The other 1% who could have told him why, weren't consulted. Nor will they be.

It's no accident that Linspire (Lindows) is modeled after Windows, and it contains Windows' greatest fundamental security flaw.

There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".

MIT Kerberos [mit.edu] takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.

Capability-based systems [erights.org] essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.

Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1 [stiller.com], 2 [reflex-magnetics.co.uk]). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.

When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!

Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all user's information. Although these days a family computer has multiple accounts on it, Little Timmy and Mom's data is seperate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.

Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.

Unfortunately, a normal user can install any browser plugin that they want to. Running as root would simply allow the user to install plugins for other users as well. For the curious, you can install them in $HOME/.mozilla/plugins (among other locations). Running as a normal user will not prevent your box from becoming a zombie, unless you have some kick-ass SELinux rules in place.

One word: Spyware. You run as Administrator, it hoses your machine. If developers would actually write software so that users didn't have to run as Admin just to open up notepad, then spyware wouldn't be anywhere near as big a problem as it is right now.

Now take that one step further and consider a malicious virus being accidentally executed by the same user that thought Bonzi Buddy was cute. Spyware is bad, but that virus might, oh... kill all your.jpg.doc and.mp3 files.